
Another day, another data breach. At least that's what it feels like after the data firm Hold Security made public its discovery that a gang of Russian hackers has made off with a cache of 1.2 billion user name/password combinations and more than 500 million email addresses. As reported by the New York Times, this represents "the largest known collection of stolen Internet credentials." The sites from which the data was stolen range from "Fortune 500 companies to very small websites," Alex Holden, founder of Hold Security, told the Times. And while Holden has declined to identify specific sites that were targeted, he cautions, "most of these sites are still vulnerable."

While this latest episode reinforces the notion that hackers are usually one step ahead of the companies you've been trusting to house your personal information, the situation is not quite as desperate as you may be tempted to believe, if you're willing to take a more proactive approach to your online security.

The first step to minimizing data theft is to avoid Wi-Fi networks that are prone to digital eavesdropping. As I wrote in an earlier story, "It takes zero hacking skills to surreptitiously monitor and/or hijack communications over a public Wi-Fi network. Widely available freeware makes eavesdropping on emails and web browsing as simple as pressing a button." So that free Wi-Fi hotspot in the hotel lobby or downtown plaza is never going to be very secure. And the very popularity of these hotspots (everybody likes free) makes them such enticing targets that you're actually safer on your home wireless network. And don't make the mistake of thinking that requiring a password makes a public hotspot more secure. If that password is written on the counter or being handed out to customers who ask for it, that's as bad as having no password at all.

When you have no choice but to use public Wi-Fi, take a moment to verify the name of the network you're supposed to be logging onto. One common trick among hackers is to set up a fully functioning hotspot, give it a name very similar to the legitimate network, and then wait for unsuspecting users to log onto the rogue network instead. As a user, things will seem perfectly normal. You can visit any site you want. The problem is that all of your communication (logins, emails, payment info, etc.) is now being collected in real time by the hacker.

You should also limit the types of sites you visit while on a public network. Checking your Instagram feed is one thing, but you should hold off on logging in to any banking or financial sites until you're on a private network. And certainly avoid making purchases or doing anything else that requires you to enter your credit card information.

Use a password manager. Now.

1Password lets you create and store usernames and passwords for all the sites you visit while removing the burden of having to memorize them.

You can probably recite the rules for creating a secure password in your sleep. Make it long. Avoid dictionary words. Include numbers and symbols. Don't write it down or reuse it on other sites. Fulfilling all of these requirements is impossible unless you use a password manager to do the heavy lifting for you. There are dozens of these apps to choose from, and they all work on the premise that you should only need to remember one password. With this master password you can then unlock access to the dozens, if not hundreds, of username/password combinations you've acquired. The apps work by storing the login credentials for every site you visit in a virtual vault (the data itself is encrypted). To unlock the vault, you enter your master password.

For convenience, these apps come with browser plugins that can automatically fill out login forms with your username and password at the press of a button, no typing required. Just as importantly, they also have built-in password generators that can create long, complex passwords for the sites you visit. And you don't have to memorize them. The next time you return to a site's login page, the password manager can select the appropriate user credentials and fill in the fields on its own. The password manager I've been using for several years now is 1Password. In addition to storing passwords, the app can also manage credit card and bank account information. Available on Mac, Windows, iOS and Android platforms, 1Password, by default, stores its vault locally, on the device on which the app is installed. While this is more secure than using cloud storage to house your data, it prevents you from having identical password access across all of your other devices. Fortunately, 1Password allows you to use Dropbox to store your vault, making it accessible to any device for which you have a 1Password license. Of course, going this route means that you should have a very secure Dropbox password, one that isn't recycled for use on other sites. But making those requirements painless is what password managers are all about in the first place.
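As an added illustration (not 1Password's code, nor code from this post), here is the premise the two paragraphs above describe: a generator that draws passwords from a cryptographically secure random source, and a master password stretched with scrypt into the key that unlocks the vault, so a wrong master password produces nothing usable. The character set, scrypt cost parameters and vault header layout are assumptions made for the example.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

# Character set the generator draws from (constructed for this example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length: int = 20) -> str:
    """Pick every character with the CSPRNG, never random.choice()."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte vault key with scrypt.
    The cost parameters (assumed here) make each guess expensive for
    someone who has copied the vault file."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def new_vault_header(master_password: str) -> dict:
    """What sits beside the encrypted vault data: a random salt and a
    verifier tag, never the key or the master password itself."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt)
    verifier = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def unlock(header: dict, master_password: str) -> Optional[bytes]:
    """Return the vault key if the master password is right, else None.
    compare_digest keeps the check constant-time."""
    key = derive_vault_key(master_password, header["salt"])
    check = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["verifier"]) else None
```

Because the only secret the vault keeps is the salted, stretched master password, its strength (and that of the Dropbox password guarding the vault file) is what the whole scheme rests on.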

You need a licensed version of 1Password for every device you'll be using it on. In my case that meant paying $50 for the desktop Mac version and an additional $18 for the iOS app used on my iPhone and iPad. The Android version is available in a freemium pricing model. Adding the ability to create passwords, as opposed to simply filling out web pages with pre-existing ones, will cost $10. Other, cloud-based password managers charge a monthly subscription, which of course will cost you more in the long run. Some, like LastPass, are actually free. But when it comes to securing my data, I'm more than happy to pay to support developers who are helping to keep my credentials private. You should be too.

Browse the Web with a VPN

No matter whose network you're using to go online, if you want to maximize your privacy, making it much more difficult for others to monitor your online behavior, using a VPN (virtual private network) has become a viable option even for casual web users. In an earlier story I laid out the benefits of a VPN service in detail. Normally, when you connect to a network, your computer communicates directly with the Internet, broadcasting a unique IP address that identifies that computer along with its physical location as "yours". This communication is often unencrypted, so that anyone logging that traffic (like your ISP) can know every site you visit and what you do while you're there. In a nutshell, using a VPN service interrupts this direct connection by using a server that acts as a middleman between your computer and the Internet. All of the communication between your computer and the VPN server is encrypted so that even if someone does intercept it, significant effort would be needed to actually make any sense of it. The VPN server is now the entity communicating directly with the web sites you visit. This server can be located in a different city, country, or continent than your physical location, so there's nothing identifying your whereabouts. In addition, this VPN server is being shared simultaneously by many other users. This provides anonymity in numbers, since to the Internet, the traffic from every computer that's being routed through the VPN server appears to be coming from a single user. This not only makes stealing your information more difficult, it also eliminates targeted advertising. Pair a VPN service with the "incognito" mode on your browser, and you've got a double dose of Internet privacy.

Several VPN services are available, costing anywhere between $5 and $10 per month (less with an annual commitment). Two that I've had great experience with are Private Internet Access and TunnelBear. Both offer support for Windows, Mac, Android, and iOS devices (Private Internet Access supports Linux as well). There are free services out there, but again, even in the age of "free", Internet security is something you really should be willing to pay for.